ElectionGuard isn't designed to make voting machines safe from hackers. It's meant to make hacking them pointless.
Building 83 doesn't stand out on Microsoft's massive Redmond, Washington, headquarters. But last week, the nameless structure hosted what might be the software giant's most important product of 2020.
Tucked away in the corner of a meeting room, a sign reading "ElectionGuard" identifies a touchscreen that asks people to cast their votes. An Xbox adaptive controller is connected to it, as are an all-white printer and a white ballot box for paper votes. If you didn't look carefully, you might have mistaken all that for an array of office supplies.
ElectionGuard is open-source voting-machine software that Microsoft announced in May 2019. In Microsoft's demo, voters make their choices by touchscreen before printing out two copies. A voter is supposed to double-check one copy before placing it into a ballot box to be counted by election workers. The other is a backup record with a QR code the voter can use to check that the vote was counted after polls close.
With ElectionGuard, Microsoft isn't setting out to create an unhackable vote -- no one thinks that's possible -- but rather a vote in which hacks would be quickly noticed.
The product demo was far quieter than the typical big tech launch. No flashy lights or hordes of company employees cheering their own product, like Microsoft's dual-screen phone, its highly anticipated dual-screen laptop or its new Xbox Series X.
And yet, if everything goes right, ElectionGuard could have an impact that lasts well beyond the flashy products in Microsoft's pipeline.
ElectionGuard addresses what has become a crucial concern in US democracy: the integrity of the vote. The software is designed to establish end-to-end verification for voting machines. A voter can check whether his or her vote was counted. If a hacker had managed to alter a vote, it would be immediately obvious because encryption attached to the vote wouldn't have changed.
The open-source software has been available since last September. But Microsoft gets its first real-world test on Tuesday, when ElectionGuard is used in a local vote in Fulton, Wisconsin.
The local election will provide Microsoft an opportunity to find blind spots in the ElectionGuard system. The question is how many it will find. During ElectionGuard's first demo at the Aspen Security Forum last July, Microsoft identified some user experience flaws. A big one: Voters were confused as to why two sheets of paper were printing out.
"This is a critical, important part of why we're having this pilot next week," Tom Burt, Microsoft's corporate vice president for customer security and trust, told a group of reporters at Building 83. "To find out, does this stuff all work? Do people verify? Do they do these things?"
Microsoft isn't alone in looking to keep the vote safe from hackers, disinformation campaigns and other forms of interference. Tech giants, election officials and governments around the world are all tackling the issue after cyberattacks played a key role in the 2016 US presidential election.
Election security poses a maze of concerns beyond the potential for voting machines to be compromised. Political campaigns have been targeted, voter registration databases have been hacked and a lack of funding or training -- sometimes both -- has hampered local officials. Then there are the coordinated disinformation campaigns that use social media to undercut democracy.
The Department of Homeland Security says no votes have been tampered with in the last four US elections. But that doesn't mean voting machines can't be hacked. In 2017, the Defcon hacker conference introduced a Voter Hacking Village. Every year since then, attendees have found security issues with machines used in actual elections. Sometimes the vulnerabilities were found in as little as 15 minutes.
Many of these machines are still being used because red tape prevents software patches or the budget isn't available to replace them.
Even if no votes had been hacked, the vulnerabilities present another thing to fret about: disinformation about the integrity of election results. US officials consider that to be more worrisome than a cyberattack. If you can be convinced that your vote was hacked, you lose confidence in the results. That's potentially as powerful as the effects of an actual hack.
Microsoft isn't alone in proposing solutions to the problem. Since 2016, many tech giants have rolled out programs aimed at buttressing trust in the system. Google's Advanced Protection Program for political campaigns protects their accounts from basic cyberattacks. Facebook has plans to take on disinformation campaigns and protect campaigns that use the social network.
Still, Microsoft is the first major tech company to directly address voting machine infrastructure, the front line of election security. But it isn't promising that ElectionGuard prevents machines from being hacked. Rather, it's promising to make it obvious if a machine is hacked.
"This is not a system that cannot be hacked by an adversary. It is a system that is pointless for an adversary to hack," Burt said. "Even if they can figure out a way to somehow influence that or change that, it would be detected by the system, and you can go to the paper ballots and do a hand count if you needed to."
Most election security experts will tell you that technology and voting tend to make a bad cocktail.
It's why lawmakers like Sen. Ron Wyden, a Democrat from Oregon, have long advocated for paper ballots to keep elections secure. There's a long history of security concerns with election technology, and Microsoft is walking a tightrope with ElectionGuard.
MIT computer science researchers, for instance, found significant security issues with the Voatz mobile voting app, including the ability to change votes. Voatz said that the researchers' information was incomplete.
And it doesn't require an expert to tell you that technology has failed democracy in the 2020 presidential campaign. The important Iowa caucuses crumbled under the rushed rollout of a vote-tallying app that was too complicated for election volunteers.
When asked about the Iowa caucuses, Anne Johnson, corporate vice president of Microsoft's Cybersecurity Solutions Group, couldn't help but laugh at the blunder.
"Let me just say, don't test in production," Johnson joked at the company's Redmond headquarters. "That wasn't a cybersecurity issue. That was a dev issue."
Microsoft has that maxim clearly in mind with ElectionGuard's debut. It's why the software giant deliberately worked with a small Wisconsin town that has about 500 registered voters. The vote is for the town's school board and a local judge. ElectionGuard will also serve as the backup to paper ballots, rather than the primary voting method.
Burt said the company hopes to learn how ElectionGuard gets used by voters, election officials and poll workers. The Wisconsin elections board decided in June 2019 to work with Microsoft on the pilot, but the ElectionGuard system hasn't been certified for standard use in the state, according to a statement from the Wisconsin Elections Commission.
"We hope this pilot test will give us further insights into how the system works and whether voters like it," said Meagan Wolfe, administrator of the Wisconsin Elections Commission. "We can use this data as we try to make elections in Wisconsin even more secure, usable and accessible."
The pilot is intended to be the first of many for Microsoft over the next few years. ElectionGuard won't be used for any major elections in 2020, the company said. With so many opportunities to bungle ElectionGuard's rollout, and so few to redeem it, Microsoft is being careful with how it presents the technology.
"We're basically trying to test in a very controlled environment where the outcome of the election is in no way dependent on the technology," Burt said. "We just want to test, 'How does it work? What can we learn? What we need to change and improve?'"
ElectionGuard works through a process known as "homomorphic encryption," a concept first introduced in 1987 by Josh Benaloh, a Microsoft Research senior cryptographer.
Your vote is meant to be private. Private votes make intimidation or bribery useless, since no one can confirm you voted a certain way.
Microsoft's encryption also keeps the vote secret by converting choices into random lines of code until they're decrypted.
Votes shouldn't be decrypted, however, since they're intended to stay private. Homomorphic encryption allows for counting votes while they remain secret, according to Benaloh.
"It's sort of structured gibberish," the cryptographer said. "Yes, it's gibberish. Yes, you can't tell what it is. But it retains enough structure that you can actually work with it rather than just ungibberishing it."
With ElectionGuard, Benaloh said, only the final tally should be decrypted, not individual votes.
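An added illustration of the "structured gibberish" idea, not code from ElectionGuard or from this article: exponential ElGamal is used here as an assumed example of an additively homomorphic scheme, with toy-sized parameters and hypothetical function names, to show encrypted yes/no votes being combined and only the total decrypted.

```python
import secrets

# Toy group parameters (constructed for illustration, far too small for real use):
# P = 2Q + 1 is a safe prime and G generates the subgroup of prime order Q.
P, Q, G = 2039, 1019, 4

def keygen():
    """Return a (secret, public) election key pair."""
    s = secrets.randbelow(Q - 1) + 1
    return s, pow(G, s, P)

def encrypt(pub, vote):
    """Encrypt a 0/1 vote as (g^r, g^vote * pub^r) with fresh randomness r."""
    r = secrets.randbelow(Q - 1) + 1
    return pow(G, r, P), (pow(G, vote, P) * pow(pub, r, P)) % P

def add(c1, c2):
    """Multiply ciphertexts component-wise; the hidden votes add in the exponent."""
    return (c1[0] * c2[0]) % P, (c1[1] * c2[1]) % P

def tally(ciphertexts):
    """Combine all encrypted ballots into one encrypted total, without any key."""
    total = (1, 1)  # a trivial encryption of 0
    for c in ciphertexts:
        total = add(total, c)
    return total

def decrypt_total(secret, c, max_votes):
    """Decrypt only the aggregate: recover g^total, then search the small range."""
    a, b = c
    g_total = (b * pow(a, Q - secret, P)) % P  # b / a^secret in the order-Q subgroup
    for t in range(max_votes + 1):
        if pow(G, t, P) == g_total:
            return t
    raise ValueError("total outside the expected range")

def run_election(votes):
    """Encrypt each vote, tally the ciphertexts, and decrypt the total alone."""
    secret, pub = keygen()
    ballots = [encrypt(pub, v) for v in votes]  # individually opaque ciphertexts
    return decrypt_total(secret, tally(ballots), len(votes)), ballots

if __name__ == "__main__":
    total, ballots = run_election([1, 0, 1, 1, 0, 1, 0])  # constructed sample votes
    print("encrypted ballots:", ballots)
    print("decrypted total of yes votes:", total)
```

The `tally` step needs no key, so anyone holding the published ciphertexts can recompute the encrypted total and compare it with the one that was decrypted.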
At Microsoft's demo for its new system, R.C. Carter, the company's director of strategic projects, explained that ElectionGuard would run parallel to paper ballots.
After a vote is cast on the touchscreen, the digital vote is encrypted and tallied. The vote would also be printed out, verified by the voter, then placed in a ballot box next to it. The printout would come with two sheets of paper: one for the ballot box, and the other, which bears your votes and a QR code, to serve as a receipt to verify your vote later online.
Election officials count the paper ballots, the usual and most secure method. The counted paper ballots are the election results, not those submitted digitally. The count takes place offline, after the polls have closed.
Once that happens, the encrypted votes are collected as a .ZIP file that anyone can download and use to verify the votes.
If something didn't match up, a voter could look at the encrypted vote to see if anything had been tampered with.
"If you can't stop the hack, the second-best thing is to know that you've been hacked," Carter said. "This is exactly what this does."
ElectionGuard addresses many voting machine security concerns. But not all of them.
It's open-source, which means that it's free and can be adapted for any machine. That helps local election officials facing budget issues. It also allows major election machine makers to implement it on their hardware across the board.
Cutting through red tape surrounding election machines, however, is another obstacle.
Different states have different regulations on complying with the Election Assistance Commission, a US agency that develops voting system guidelines. Getting the EAC's certification has become a major challenge for election security, Burt said.
Microsoft found that many election counties were using outdated Windows machines because EAC guidelines required a complete recertification process just to apply simple security patches, for example. Installing an entirely new voting system would be another hurdle for certification, Burt said.
"The process of certifying is incredibly slow and burdensome," Burt said. "What it really is going to require is a refresh of devices in the market. You can't take some old Windows 7 voting machine and download ElectionGuard and stick it in."
Another human error concern that Microsoft will have to address is that people tend to fail at verifying their own votes, or even reporting it when there's something wrong.
In a study from the University of Michigan published in January, researchers found that only 6.6% of 241 voters in a mock election told poll workers there was an issue, despite all the machines being rigged to show errors on the printed-out vote. Without any intervention, only 40% of the voters actually reported the issue to the voting officials, the study found.
And even if it were reported, election security experts don't expect much recourse over detected errors.
"Being able to verify something is not a remedy if there's no recourse," said Harri Hursti, an election security expert and co-founder of Defcon's Voter Hacking Village. "Most people don't want to do things twice. It's just human nature and human behavior."
Microsoft is hoping to address the nonreporting issue by training the poll workers in Wisconsin to prompt voters to check their ballots once they've been cast. In Wisconsin, poll workers have to sign ballots before they're cast, and that's when they'll also tell voters to verify their vote.
The University of Michigan study found that reporting errors jumped from 6.6% to 85.7% when poll workers encouraged people to check their vote.
During tests with election volunteers, Microsoft found that small adjustments like changing the color on printouts could also be effective.
"One simple thing we've done that already looks like it's working super well in Wisconsin is the ballot comes out white, the verification code is going to be printed on a piece of yellow paper, just so you have that visual difference," Burt said, referring to test runs conducted last week with election volunteers.
Human error isn't the only concern for ElectionGuard. Microsoft has put the system through a bug bounty program. It also invited NCC Group, a security research firm, to do an independent review of the software last September.
Researchers have submitted bug bounties on ElectionGuard for review, though Microsoft has yet to make any payouts, Carter said. Microsoft is also working to change ElectionGuard's core programming language from C, after NCC Group pointed to vulnerability issues.
If all goes well, Microsoft and ElectionGuard could change the way votes are counted and verified around the world, introducing a new layer of security to protect democracies. The company is considering possibilities of what could go wrong and carefully rolling out ElectionGuard in pilot tests in smaller elections over the next year. But other adopters might not be so cautious.
As an open-source tool, it's available to the world, and a public failure -- something like the Iowa caucuses app debacle -- could tarnish ElectionGuard's image even if Microsoft had nothing to do with it.
"You've put your finger on a valid concern. I won't deny it," Microsoft's Benaloh said. "There is risk there. There is some subtlety to how to use it properly."
Burt said that governments around the world have been interested in using ElectionGuard, some for countrywide elections.
"We just heard from a developer in a European country who's been contracted to build the ElectionGuard system for city elections," Burt said. "And we had no idea they were doing that. That's the nature of open-source projects. You put stuff up there and say, 'It's here for anyone to use.'"
Election machines that go perfectly right in testing and demonstrations might experience issues when used in the real world. That's what Galois, a government contractor, learned when it brought DARPA's $10 million voting machine to Defcon to see if hackers could find issues with its security. An unexpected bug prevented the machine from working until the last day.
Microsoft worked with Galois to help develop ElectionGuard's software as well. Joey Dodds, a research engineer at Galois, said the open-source tool is still very much in a testing phase and he doesn't expect it to be used in an actual election with major consequences until 2024 at the earliest.
He acknowledged that ElectionGuard is solving for a small part of election security, and that hackers still have many ways to meddle with democracies.
"It is not a complete solution for electronic voting without a backup," Dodds said. "It is not going to have anything to say about poll books, voter registration, anything that happens prior to ballot recording and casting. That's all going to require different approaches."
Even if the technology behind Microsoft's ElectionGuard were perfect, it would have to deal with motivated disinformation campaigns mixed with human error from all sides -- voters, poll workers and third-party developers using the open-source tools.
"There are still plenty of opportunities to screw it up, but ElectionGuard gives you a framework to work forward," said Tod Beardsley, director of research at security firm Rapid7. "We'll see if it's actually implemented right."